StoriLeaf
Start Your Story

Privacy

Privacy policy for StoriLeaf.

This policy explains how StoriLeaf handles account details, payments, story content, photographs, messages, delivery details, cookies, and privacy rights.

Contact usTerms

Last updated: 1 May 2026

Who this policy applies to

This Privacy Policy explains how StoriLeaf collects, uses, shares, stores, and protects personal data when you visit the website, contact us, create an account, purchase a package, use a StoriLeaf story experience, or receive a StoriLeaf gift.

StoriLeaf is the data controller for the personal data described in this policy. This policy is written to align with applicable privacy laws, including India's Digital Personal Data Protection Act, 2023. If you are in the UK or EU, GDPR-style disclosures and rights may also apply.

What we collect

We collect only the information needed to provide, support, protect, and improve StoriLeaf.

  • Account and profile details, such as name, email address, password, and storyteller or buyer details you choose to provide.
  • Purchase and billing information, such as package purchased, payment status, invoices, order references, and transaction references. Full card details are handled by payment processors and are not stored by StoriLeaf.
  • Delivery details, such as recipient name, address, phone number where a courier requires it, and delivery updates.
  • Story content you provide, such as written answers, uploaded photographs, captions, voice recordings where supported, draft review notes, and approved final content.
  • Communications you send to us, including contact form messages, feedback, support requests, replies, and related metadata.
  • Website and device data, such as IP address, browser type, device information, pages viewed, cookie choices, and similar analytics or security information.

How we use your data

We use personal data for clear service, support, safety, and legal purposes.

  • To create and manage accounts, story projects, buyer and storyteller roles, invitations, drafts, and final outputs.
  • To process payments, issue receipts, manage invoices, prepare printed keepsakes, and arrange delivery.
  • To save your work, support draft review, organise photographs and story material, and deliver the selected StoriLeaf package.
  • To respond to contact, support, and feedback messages.
  • To send service messages about account access, invitations, expiry reminders, draft review, printing, delivery, policy updates, and important changes.
  • To send newsletters or updates only where you have opted in or where permitted by law. You can opt out of marketing messages.
  • To maintain security, prevent misuse or fraud, troubleshoot issues, measure website performance, and improve reliability.
  • To keep records required by tax, accounting, consumer protection, or other legal obligations.

Legal basis for processing

Depending on where you live, we rely on one or more lawful bases.

  • Contract, where processing is needed to provide the service or package you purchased or received.
  • Consent, for optional marketing, some cookies, and any public use of private story material.
  • Legitimate interests, for service security, fraud prevention, support, analytics, and improvement where those interests do not override your rights.
  • Legal obligation, for tax, accounting, compliance, dispute handling, and lawful requests.

How we share data

We do not sell personal data or story content.

We share data only as needed to run StoriLeaf and provide the selected service.

  • Payment processors, to process payments and prevent fraud.
  • Cloud and hosting providers, to store and protect account, project, and website data.
  • Email and messaging providers, to send service emails, invitation messages, reminders, review links, and support replies.
  • Printing and delivery partners, to print and ship approved keepsakes. They receive only what they need, such as print files and delivery details.
  • Professional advisers, auditors, insurers, courts, regulators, or authorities where needed for legal claims, compliance, or lawful requests.

Story privacy and human access

Your story content is private by default.

Only you, invited participants, and authorised StoriLeaf team members involved in editorial preparation, layout preparation, support, quality checks, printing, or fulfilment can access private story material, and only as needed to provide the service.

We will never publish excerpts, photographs, recordings, or any part of your private story publicly without explicit permission.

Retention, expiry, and deletion

We keep personal data only as long as needed for the purposes described in this policy.

  • During an active story project, we store story content, photographs, recordings, draft material, and project details so the story can be completed.
  • Package validity and extension rules may apply. Reminder messages may be sent before expiry.
  • After expiry, a grace period may apply before content is deleted if no extension or continuation is arranged.
  • After submission, story material may be locked for changes while draft preparation, review, printing, and final delivery are completed.
  • Purchase, invoice, transaction, tax, and compliance records may be retained longer where required by law.
  • Limited backup copies may exist for a short period for security and disaster recovery, then are deleted according to backup schedules.

Security

We use reasonable technical and organisational safeguards designed to protect personal data, including access controls, secure storage practices, and private handling of story material.

No system is completely secure. If a security incident affects personal data, we will investigate and notify affected people or authorities where required.

Your rights

Your rights depend on your location, but may include the ability to access, correct, delete, restrict, object to, or receive a copy of your personal data.

  • If you are covered by India's DPDP Act, you may have rights such as correction, erasure, grievance redressal, and withdrawal of consent where applicable.
  • If you are covered by GDPR or UK GDPR, you may have rights such as access, rectification, erasure, restriction, objection, portability, and complaint to a supervisory authority.
  • We may need to verify your identity before fulfilling a privacy request.

Cookies and analytics

We may use cookies and similar technologies for essential site functionality, security, analytics, performance, and remembering preferences.

  • You can control cookies through your browser settings.
  • Some cookies are required for the site or account features to work properly.
  • Third-party services embedded on the site, such as video hosting or analytics, may set cookies under their own policies.

International transfers

If service providers are located outside your country, personal data may be processed in other jurisdictions. We take reasonable steps to use appropriate safeguards for such transfers.

Children

StoriLeaf is intended for adults. If you believe a minor has provided personal data without appropriate authorisation, contact us and we will take appropriate action.

Changes and contact

We may update this policy from time to time. The date below shows the latest version. If changes are material, we will take reasonable steps to notify affected users.

For privacy questions or rights requests, use the StoriLeaf contact form and include enough information for us to identify and respond to the request.

Contact

Use the contact form for privacy questions, rights requests, delivery concerns, or account support.

Contact StoriLeaf

Stay connected

Story ideas in your inbox.

Get practical prompts, family memory ideas, and occasional StoriLeaf updates.